Trend Micro’s Rik Ferguson blogs about current security issues.

Belgian pump and dump botnet

According to a report in Belgian newspaper De Tijd, malware has been used to compromise the online portfolios of Belgian investors. The botnet was then used to influence stock prices, making the criminals more than 100,000 Euros. The investigation has remained secret until today.

Image from rednuht's Flickr photostream under Creative Commons

The federal prosecutor and the computer crimes unit of the national police in Belgium were looking into events that took place in 2007. Between April and May 2007 criminals infected the PCs of customers of the banks Dexia, KBC and Argenta with a bot (the exact nature of the bot is unspecified) which stole the usernames and passwords for online share trading platforms.

The article goes on to detail what appears to be a highly targeted, custom-written attack that was able to automate stock trades across the botnet.

“With a push of a button the botmaster instructs all the computers to buy or sell the same shares at the same time.”

Of course the criminals behind the enterprise went on to profit from the sharp changes in stock price of the penny stocks that were being manipulated by buying and selling their own shares at exactly the right moments in classic pump-and-dump tactics.

Hein Lannoy from the Belgian Banking, Finance and Insurance Commission (CBFA) is quoted as stating, “After the hack in July 2007 no further similar incidents occurred in the country”. He goes on to say “In April 2009 we sent a circular regarding an improvement in the security standards of our financial institutions. Belgian online banking services are now very heavily protected. We have no jurisdiction to impose our standards on foreign banks in our country.”

However, from conversations with a local journalist today it seems that many Belgian banks (in fact most banks globally) are still only offering classical two-factor authentication aimed at authenticating the user rather than the transaction. While this kind of technology would certainly thwart this bot in its current form, it is not impossible to defeat. As I have previously blogged, banking malware has already evolved to the stage where it can overcome multi-factor user authentication.

With this in mind it is vital that any improvement in online banking security should verify individual transactions rather than simply authenticate the user. The authentication token itself must be capable of accepting direct input relating to the content or the value of the transaction. This can then be verified by both parties and cannot be modified by the malicious “man in the browser”.
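To make the distinction concrete, here is an added illustration (not code from the original post or from any bank) of the two designs: a one-time code bound only to the user, and a code computed over the transaction details the user keys into the token. It assumes a hypothetical HMAC-SHA256 token scheme with a constructed shared secret and constructed account numbers; a simulated man-in-the-browser rewrites the beneficiary after the user approves, and only the transaction-bound code lets the bank notice.

```python
import hashlib
import hmac

# Constructed shared secret; a real token would have one provisioned by the bank.
TOKEN_SECRET = b"constructed-demo-secret-do-not-reuse"


def _eight_digits(mac: bytes) -> str:
    """Render the first 4 bytes of a MAC as an 8-digit code a token could display."""
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"


def user_otp(secret: bytes, counter: int) -> str:
    """Classic user authentication: the code depends on the secret and a counter only,
    so it says nothing about which transaction the user actually approved."""
    return _eight_digits(hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha256).digest())


def transaction_code(secret: bytes, counter: int, tx: dict) -> str:
    """Transaction authentication: the user keys beneficiary, amount and currency into the
    token, so the code is bound to that exact content."""
    canonical = f"{counter}|{tx['beneficiary']}|{tx['amount_cents']}|{tx['currency']}".encode()
    return _eight_digits(hmac.new(secret, canonical, hashlib.sha256).digest())


def bank_accepts_user_auth(secret: bytes, counter: int, tx: dict, code: str) -> bool:
    """The bank only checks that the code belongs to the user; `tx` is not covered at all."""
    return hmac.compare_digest(code, user_otp(secret, counter))


def bank_accepts_tx_auth(secret: bytes, counter: int, tx: dict, code: str) -> bool:
    """The bank recomputes the code over the transaction it actually received."""
    return hmac.compare_digest(code, transaction_code(secret, counter, tx))


def man_in_browser(tx: dict) -> dict:
    """Simulated man-in-the-browser: silently swaps the beneficiary after the user approves."""
    return {**tx, "beneficiary": "BE00 0000 0000 0000 (constructed attacker account)"}


def demo() -> dict:
    intended = {"beneficiary": "BE68 5390 0754 7034", "amount_cents": 25000, "currency": "EUR"}
    counter = 1
    otp = user_otp(TOKEN_SECRET, counter)                       # user proves identity
    signed = transaction_code(TOKEN_SECRET, counter, intended)  # user signs the content
    received = man_in_browser(intended)                         # what the bank really gets
    return {
        "user_auth_accepts_tampered": bank_accepts_user_auth(TOKEN_SECRET, counter, received, otp),
        "tx_auth_accepts_tampered": bank_accepts_tx_auth(TOKEN_SECRET, counter, received, signed),
        "tx_auth_accepts_intended": bank_accepts_tx_auth(TOKEN_SECRET, counter, intended, signed),
    }
```

The first result is the weakness described above: a user-only code still verifies after the browser rewrote the payment, whereas the transaction-bound code fails on the tampered copy and passes only on what the user actually keyed in.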

Belgian law enforcement are now working with their international counterparts to pursue the offenders.